Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

As for the Nea issue. I've found her to be a fair mod, but if you have an issue bring it up with nyko or myself and we'll look into it. If you could provide specific instances of where you think she's unfair then that'd help.

As for CSRF have a look at http://en.wikipedia.org/wiki/CSRF and http://blogs.securiteam.com/index.php/archives/192

It's not specific to images. It's creating a request to another site which causes something the user doesn't want. That logout link you posted is an example, but a pretty trivial one. Imagine doing <img src="http://www.example.com/user_act.php?action=change_password&pw=snowwhite" />. Or imagine <img src="http://www.example.com/user_act.php?action=cancel_account" />

As for the exact difference between this and XSS, the line is blurred. The terms need to be re-created.
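As an added illustration (not code from this thread, nor from any site mentioned in it), here is a hypothetical Python handler for the user_act.php endpoint in the post above, showing the two server-side checks that stop both of those <img> requests: requiring POST for state changes, and validating a per-session token that a page on another origin cannot know. The handler, the secret, and the session id are all constructed for the example.

```python
import hmac
import hashlib

# Constructed server secret for this example; a real deployment keeps it out of source.
SERVER_SECRET = b"example-only-secret"

def issue_csrf_token(session_id: str) -> str:
    """Per-session token that the site embeds in the forms it renders for this session.
    A page on another origin never sees it, so it cannot include it in a forged request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_user_act(method: str, url: str, session_id: str, form=None) -> str:
    """Hypothetical server-side handler for user_act.php.
    The browser attaches the session cookie automatically, so session_id is present on
    forged requests too; only the token distinguishes a genuine submission from a forgery."""
    form = form or {}
    # Defence 1: anything that changes state is POST-only. An <img src=...> can only issue a
    # GET, so whatever it puts in the query string of `url` never reaches a state change.
    if method != "POST":
        return "refused: state change requires POST"
    # Defence 2: the submitted token must match this session's token (constant-time compare).
    if not hmac.compare_digest(issue_csrf_token(session_id), form.get("csrf_token", "")):
        return "refused: missing or invalid csrf token"
    action = form.get("action")
    if action == "change_password":
        return "password changed"
    if action == "cancel_account":
        return "account cancelled"
    return "refused: unknown action"

def demo() -> dict:
    """Three requests against the handler, each with the victim's session cookie attached."""
    sid = "victim-session-123"  # constructed session id
    endpoint = "http://www.example.com/user_act.php"
    return {
        # the <img> from the post above: a GET with the action in the query string
        "img_get": handle_user_act("GET", endpoint + "?action=change_password&pw=snowwhite", sid),
        # a cross-site auto-submitting form: right method, but it cannot supply the token
        "forged_post": handle_user_act("POST", endpoint, sid, {"action": "cancel_account"}),
        # the site's own form, rendered with the token for this session
        "genuine_post": handle_user_act("POST", endpoint, sid, {
            "action": "change_password", "pw": "snowwhite", "csrf_token": issue_csrf_token(sid)}),
    }
```

Note that the second check is the one doing the real work: switching to POST alone only rules out the image trick, not a hidden auto-submitting form.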

As far as the Nea thing goes, she warned me once because I asked a question about a dedicated server in the off topic section instead of the "nzone" hardware section, and another time because in a thread about some kid committing suicide, I wrote that anyone that considers suicide deserves to die anyway. If I remember correctly, you commented back with a humorous "I think they're banking on that", or something along those lines. However, she felt the need to warn me.

CSRF and XSS have nothing to do with each other.
Well, it may be that CSRF is simpler to do if you have an XSS somewhere, but they're not related in the functionality.
It's a common confusion that CSRF (aka XSRF) is compared with XSS. XSS is more a "static" data validation problem, while CSRF most likely is one of the application's logic.

Before CSRF became popular, the terms Web trojan and Client-Side Trojan were also used (I guess first by Sverre Huseby). IMHO these terms describe better what's going on.
I personally prefer Session riding in most cases, 'cause that describes that it is a session (logic) problem, not one of data validation, in particular if there is a session id in use somehow (whether cookie or basic auth).

I don't know why, but I've always thought that these naming issues were completely pedantic. XSS, for instance, is just about the worst-named acronym I can think of, as it completely fails to describe the nature of the attack in many ways. I don't really care what the name is, as long as we all know what we are talking about, and in both the cases of CSRF/Session Riding (I'm open to using either) and XSS I think everyone understands what we are talking about.

I'm really interested in CSRF. Although this forum isn't as active as the XSS-related ones, I'd be interested to read about any CSRF exploits in sites that people have found, in a sort of "So it begins" thread for CSRF, as I'm sure many other people would. So if any CSRF 'exploits' are found in websites, I hope people will share and discuss; I have a dream that one day CSRF will be discussed as much as XSS...

Well, maybe I'm not that passionate about it, but I like to know as much as I can about as many different areas of security, and as I'm relatively new to CSRF I'm quite hungry for real-world uses and general examples...

I built a real-world example during a penetration test, to prove that I could force a user to change their email address to whatever I want. That combined with other issues in the site gave me complete access to the user's account and worse.

I'm interested in CSRF, but it's a far less complex topic than XSS, which is why I think we tend to talk about it a little less. Do you have any particular questions to spark some conversations?

I'm not sure whether I agree or not with the complexity of the two being more for XSS. On a basic level, for example <img src=domain.com/password.php?newpass=omghaxed>, then yeah, I would agree XSS is far more complex than this, but CSRF requires a lot more thought on CAPTCHA evasion or randomly generated hashes etc. I think they both have simple levels to them, but thinking out of the box and taking it beyond the obvious methods is what defines the complexity of either method. Anyway, yes, I do have a particular question as of 5 minutes ago. I was reading the 'Fun ideas for a myspace worm' thread and somebody mentioned deleting Tom from their friends list. I don't mean to pick on MySpace, but it's a very large site with fairly good security in mind, so I chose this. Anyway, I made some code to automatically delete Tom from the user's profile upon viewing; the trouble is some variables that need to be used. I wouldn't say I'm the most clued-up person in AJAX, although I have had a browse. Anyway, my code was

As you can see, there are only 3 different variables that affect the ability of this page to automatically delete a friend from the user's list: Mytoken, HASH, and your friend ID. I was thinking of using AJAX for this; could anyone give me pointers, or possible code examples for implementing this?

I know I've double posted, but I didn't want to confuse people by adding more to what I've already put, and to let them know that I have come back to this after more thought.
For actual use of this, being able to delete Tom automatically, where would the code go? I mean, it'd have to be placed on the page where the hash, token, and friendID of the victim are all present...

Anyway, if anyone still has an answer to the AJAX issues I am facing, please let me know, just out of curiosity.

Okay, another idea was to use the AJAX to send the different variables to a PHP script on my server, which would then log them nicely into a text file, but when I tried this I sniffed the connection to see if anything was happening and I got a request for crossdomain.xml, so I'm guessing there are policies on this sort of thing happening. So then I thought I could just PM the variables to myself on MySpace, but by this point I'm way out of my depth, throwing sloppy code together just trying to put my ideas across. To which I came up with this...

Take note: the messaging URL for MySpace is just an example (obviously). What I'm trying to show is a way of bypassing the crossdomain policy to be able to PM yourself, or post on your blog, or anything, information about the user that has visited your profile, such as the hash, friendID and tokens etc. This is all going quite mad at the moment; I appreciate there is a lot to read... so I await your feedback, people.

Hmmm... I'm not sure I'd agree with your disagreement. :) CAPTCHAs and randomly generated hashes can affect XSS as well. Those I think are very separate issues and should be considered separate so as not to confuse the actual issue. CAPTCHAs and tokens can be put anywhere, including the front page of the website, preventing anything, including SQL attacks, PHP includes, the works. Very different.

Anyway...

I wish I could help with the MySpace thing, but I've long since deleted my MySpace account after some blonde real estate agent started stalking me using it. Creepy.